
Security initiatives here and down under

Jun 29, 2015


Roger Hagedorn

This is a presentation introducing the SANS Institute's 20 Security Controls and the Australian Government's Top 35 Mitigation Strategies that I gave to The Small Business Technology Consulting Group in St. Paul, MN on November 13, 2012.
Transcript
Page 1: Security initiatives here and down under

Cultivating Security, 2012

Roger Hagedorn, Cultivating Security

Security Initiatives Here and Down Under

Page 2

Quick Discussion Question: What do you think of when it comes to information security?

[audience participation time]

Page 3

One thing to keep in mind:

In the world of information security,

CIA = Confidentiality, Integrity and Availability

Though sometimes it refers to a certain government agency.

Page 4

What do we mean by Information Security?

“the processes and methodologies designed to protect print, electronic, or any other forms of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.”

SANS Institute

“Preservation of confidentiality, integrity and availability of information.”

ISO 27000

Page 5

Are there any models or standards for Information Security that might be helpful?

I thought you’d never ask. . .

Page 6

There’s no shortage of standards to consider:

• NIST 800-53 = National Institute of Standards and Technology Special Publication 800-53

• FISMA = Federal Information Security Management Act

• DIACAP = DoD Information Assurance Certification and Accreditation Process

• SOX = Sarbanes-Oxley Act of 2002

• GLBA = Gramm-Leach-Bliley Act

• PCI-DSS = Payment Card Industry Data Security Standard

• NERC CIP = North American Electric Reliability Corporation Critical Infrastructure Protection standards

• ISO 27000 Series = Int’l Org. for Standardization

• HITECH Act of 2009

Page 7

Confused?

Overwhelmed?

These standards are complex and difficult to implement.

Nevertheless . . .

Page 8

While there might not be consensus on the issue, there is an increasing recognition that every organization needs to have a strategy for defense.

Organizations are learning to assess their information security risks, and then to implement appropriate information security controls based on their needs, and using guidance and suggestions where relevant.

Page 9

With so many standards, where should a person begin?

Page 10

“A lot of times, enterprises just don’t know where and how, or what to do. Where’s the next dollar best spent?”

“This is about priority.”

Tony Sager, former head of the NSA’s Systems & Network Attack Center, now with the SANS Institute

Page 11

Here’s where our government, along with the Australian government, offers surprisingly helpful examples.

Page 12

First, one more quick definition:

Security controls are safeguards designed to avoid, counteract or minimize risks.

Page 13

Recent Events in the History of Controls:

Starting in 2008, the Office of the Secretary of Defense asked the NSA for help with its cybersecurity posture. NSA was brought in because of their understanding of how cyber attacks worked and because the DoD was interested in fending off actual attacks rather than developing a theoretical approach to security.

Page 14

Since the early 2000s, the NSA had been working on a list of security controls that were most effective in stopping known attacks.

The key: “no control should be made a priority unless it could be shown to stop or mitigate a known attack.”

Page 15

The second key: NSA was already collaborating with two nonprofit organizations:

The SANS Institute — a cooperative research and education organization, “the most trusted and by far the largest source of information security training and security certification in the world.”

The Center for Internet Security — “works on enhancing cyber security readiness and response of public and private sector entities.”

Page 16

Eventually, more than 100 public and private organizations joined in, as well as a few companies involved in incident response, including McAfee and Mandiant.

The two main elements:

1) The only justification for a control was actual attack information.

2) The feeling among the participants that they were active contributors to protecting the country.

Page 17

The clear consensus:

Just 20 Critical Controls could address the most prevalent attacks that government, industry, and the private sector face.

Page 18

The test:

The Department of State put the 20 Critical Controls up against the 3,085 attacks it underwent in 2009.

Page 19

The Results:

More than 88% reduction in attacks on vulnerabilities.

Page 20

On Nov 5, 2012, a new international consortium was launched to help government agencies and the private sector prioritize security defenses. Called the Consortium for CyberSecurity Action (CCA), it bases its recommendations on the most recent update of the 20 Critical Controls.

Page 21

Spoiler Alert:

Most of these controls are standard procedure or “Best Practices” in network administration. Chances are that you’ve implemented many of them yourself. There really shouldn’t be any surprise here.

OK then, here we go . . .

Page 22

The Main Event: the 20 Critical Controls

1 Inventory of Authorized and Unauthorized Devices

2 Inventory of Authorized and Unauthorized Software

3 Secure Configurations for Hardware and Software on all devices: mobile, laptops, workstations, servers

4 Continuous Vulnerability Assessment and Remediation

Page 23

5 Malware defenses

6 Application Software Security

7 Wireless Device Control

8 Data Recovery Capability

9 Security Skills Assessment and Training to Fill Gaps

10 Secure Configurations for Network Devices

11 Limitation and Control of Network Ports, Protocols and Services

Page 24

12 Controlled Use of Administrative Privileges

13 Boundary Defense

14 Maintenance, Monitoring and Analysis of Audit Logs

15 Controlled Access Based on Need-to-Know

16 Account Monitoring and Control

17 Data Loss Prevention

Page 25

18 Incident Response and Management

19 Secure Network Engineering

20 Penetration Tests and Red Team Exercises
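Control 1 is the one small shops skip most often because it sounds like bookkeeping, so here is what it looks like reduced to a check you can run on a schedule. This is an added illustration, not code from the presentation: it parses a constructed excerpt in ISC dhcpd.leases format, normalizes the MAC addresses, and reconciles them against a constructed authorized-device inventory, reporting devices on the network that are not in the inventory, inventoried devices leased on the wrong subnet, and inventoried devices that were never observed. The lease text, asset tags and subnet assignments are all made-up sample data.

```python
"""Control 1, inventory of authorized and unauthorized devices, reduced to a
reconciliation check. Added illustration for this page, not code from the
presentation. All input below is constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt in ISC dhcpd.leases format (three leases).
SAMPLE_LEASES = """\
lease 10.0.5.21 {
  starts 1 2012/11/12 08:14:02;
  hardware ethernet 00:1A:2B:3C:4D:5E;
  client-hostname "fin-ws-07";
}
lease 10.0.5.88 {
  starts 1 2012/11/12 09:02:44;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "android-9f3c";
}
lease 10.0.9.40 {
  starts 1 2012/11/12 09:30:10;
  hardware ethernet 00:1a:2b:3c:4d:77;
  client-hostname "printer-2f";
}
"""

# Constructed authorized inventory: MAC -> (asset tag, subnet it is approved for).
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": ("FIN-WS-07", "10.0.5.0/24"),
    "00:1a:2b:3c:4d:77": ("PRN-2F", "10.0.5.0/24"),     # leased on 10.0.9.x above
    "00:1a:2b:3c:4d:99": ("FIN-WS-08", "10.0.5.0/24"),  # never appears in the leases
}


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


_LEASE_RE = re.compile(r"lease\s+(?P<ip>\d+(?:\.\d+){3})\s*\{(?P<body>.*?)\}", re.S)
_MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17});")
_HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so inventory and leases compare equal."""
    return mac.replace("-", ":").lower()


def parse_leases(text: str) -> list:
    leases = []
    for block in _LEASE_RE.finditer(text):
        body = block.group("body")
        mac = _MAC_RE.search(body)
        if mac is None:          # skip malformed entries rather than guess
            continue
        host = _HOST_RE.search(body)
        leases.append(Lease(block.group("ip"), normalize_mac(mac.group(1)),
                            host.group(1) if host else ""))
    return leases


def reconcile(leases: list, authorized: dict) -> dict:
    """Three findings: unknown devices, known devices on the wrong subnet,
    and inventory entries that were never observed (stale or offline)."""
    unauthorized, misplaced = [], []
    for lease in leases:
        entry = authorized.get(lease.mac)
        if entry is None:
            unauthorized.append(lease)
        elif ipaddress.ip_address(lease.ip) not in ipaddress.ip_network(entry[1]):
            misplaced.append(lease)
    seen = {lease.mac for lease in leases}
    unseen = sorted(mac for mac in authorized if mac not in seen)
    return {"unauthorized": unauthorized, "misplaced": misplaced, "unseen": unseen}


def report(text: str = SAMPLE_LEASES, authorized: dict = AUTHORIZED) -> dict:
    return reconcile(parse_leases(text), authorized)


if __name__ == "__main__":
    findings = report()
    for lease in findings["unauthorized"]:
        print(f"UNAUTHORIZED {lease.mac} {lease.ip} {lease.hostname!r}")
    for lease in findings["misplaced"]:
        print(f"WRONG SUBNET {lease.mac} {lease.ip} approved for {AUTHORIZED[lease.mac][1]}")
    for mac in findings["unseen"]:
        print(f"NOT SEEN     {mac} {AUTHORIZED[mac][0]}")
```

Two caveats when you use something like this for real. A lease file only shows DHCP clients, so feed the same reconciliation from ARP tables or switch MAC address tables as well, or a statically addressed device never shows up. And a MAC address is an identifier, not an authenticator: it can be spoofed, so this is inventory hygiene and a detection hook (alert on any MAC you have never seen), not a substitute for port-based network access control.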

Page 26

So what about Implementation?

In a mature environment, chances are you already have most, if not all, of these 20 Critical Controls in place.

But what about smaller organizations? You can take concrete, measurable steps toward improving your networks by putting some or most (if not all) of these controls in place over time. Yes, it takes time, but it pays off. Remember:

Page 27

Keep your eye on the prize:

The State Department saw a reduction of more than 88% in attacks on their systems in the first year.

Page 28

So what about those Australians Down Under?

Independently of the research we’ve discussed, the Australians developed a list of the Top 35 Mitigation Strategies, which they present in order of overall effectiveness.

Like the 20 Critical Controls, these rankings are based on the Australian Defence Signals Directorate’s (DSD’s) analysis of reported security incidents and detected vulnerabilities.

Page 29

For the sake of time, let’s just consider the Top Four Controls, or Mitigation Strategies:

• Use application whitelisting to help prevent malicious software and other unapproved programs from running

• Patch applications such as PDF readers, Java, and web browsers

• Patch operating system vulnerabilities

• Minimize the number of users with administrative privileges
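The first of the Top Four is the one most often implemented badly, so here is the decision logic of an application whitelist written out, as an added illustration that is not code from the presentation or from any whitelisting product. It models the two rule types most products offer, hash rules and path rules, on constructed sample binaries and a constructed policy, and shows the classic mistake: a path rule that covers a directory ordinary users can write to, which lets anyone who can drop a file there run it. The executables, their "contents", the policy and the list of user-writable directories are all made-up sample data.

```python
"""Application whitelisting decision logic, in the spirit of the DSD Top Four.
Added illustration for this page; not code from the presentation or from any
whitelisting product. It models hash rules and path rules on constructed
sample data and shows why a path rule over a user-writable directory is a
hole rather than a control."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes   # constructed stand-in for the file bytes

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    allowed_hashes: set            # SHA-256 digests of approved binaries
    allowed_path_prefixes: list    # directories whose contents may run
    user_writable_dirs: list       # from an ACL audit; constructed here


def norm(path: str) -> str:
    return path.replace("\\", "/").rstrip("/").lower()


def under(path: str, prefix: str) -> bool:
    path, prefix = norm(path), norm(prefix)
    return path == prefix or path.startswith(prefix + "/")


def decide(exe: Executable, policy: Policy) -> tuple:
    """Return (verdict, reason). A hash rule wins wherever the file sits; a
    path rule applies only if no user-writable directory lies on the path."""
    digest = exe.sha256()
    if digest in policy.allowed_hashes:
        return "allow", f"hash rule {digest[:12]}"
    for prefix in policy.allowed_path_prefixes:
        if under(exe.path, prefix):
            writable = [d for d in policy.user_writable_dirs if under(exe.path, d)]
            if writable:
                return "deny", f"path rule {prefix} matches but {writable[0]} is user-writable"
            return "allow", f"path rule {prefix}"
    return "deny", "no matching rule"


def audit_policy(policy: Policy) -> list:
    """Flag path rules that overlap a user-writable directory: anyone who can
    write there can run whatever they drop, so the rule needs tightening."""
    return [(p, d) for p in policy.allowed_path_prefixes
            for d in policy.user_writable_dirs if under(d, p) or under(p, d)]


# Constructed sample: one approved vendor binary and a policy with a mistake
# in it (a plugin directory under Program Files that users can write to).
ACME = Executable(r"C:\Program Files\Acme\acme.exe", b"constructed acme bytes")
SAMPLE_POLICY = Policy(
    allowed_hashes={ACME.sha256()},
    allowed_path_prefixes=[r"C:\Windows", r"C:\Program Files"],
    user_writable_dirs=[r"C:\Users", r"C:\Program Files\Acme\plugins"],
)
SAMPLE_EXECUTABLES = [
    ACME,
    Executable(r"C:\Windows\System32\notepad.exe", b"constructed notepad bytes"),
    Executable(r"C:\Users\bob\AppData\Local\Temp\invoice.pdf.exe", b"constructed dropper"),
    Executable(r"C:\Program Files\Acme\plugins\update.exe", b"constructed dropper"),
    Executable(r"D:\acme.exe", b"constructed acme bytes"),   # same bytes, moved
]


def evaluate(executables=SAMPLE_EXECUTABLES, policy=SAMPLE_POLICY) -> dict:
    return {exe.path: decide(exe, policy) for exe in executables}


if __name__ == "__main__":
    for path, (verdict, reason) in evaluate().items():
        print(f"{verdict:5} {path}  ({reason})")
    for prefix, d in audit_policy(SAMPLE_POLICY):
        print(f"POLICY HOLE: path rule {prefix} covers user-writable {d}")
```

The trade-off this makes visible is the one you will meet in any product: hash rules are the strongest, and they follow the file wherever it is copied, but they have to be regenerated every time the binary is patched, which collides with the second and third of the Top Four unless the regeneration is automated. Path rules need no maintenance but are exactly as strong as the directory permissions beneath them, which is why the policy audit above checks the rule list against the writable-directory list rather than trusting the rule on its own.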

Page 30

According to the DSD’s Strategies to Mitigate Targeted Cyber Intrusions,

over 85% of cyber intrusions could be defeated

if organizations implemented just the first four of these strategies.

Page 31

These two initiatives provide clear examples of what’s meant by “Defense in Depth”:

Defense in depth is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.

SANS Institute

Page 32

Thanks very much for your attention.

Any questions or comments?

Q and A

Roger Hagedorn

Email: [email protected]
www.cultivatingsecurity.com

Page 33

Resources

The 20 Controls: http://www.sans.org/critical-security-controls/

The Australian Government’s 35 Controls: http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

The Center for Internet Security: http://www.cisecurity.org